fix: do not share token with http app urls (coder#17720)

BrunoQuaresma · web-flow · commit 857587b35d3e · 2025-05-08T09:51:10.000-03:00
It's a security issue to share the API token, and the protocols that we actually want to share it with are not HTTP and handled locally on the same machine. Security issue introduced by coder#17708
diff --git a/site/src/modules/resources/AppLink/AppLink.tsx b/site/src/modules/resources/AppLink/AppLink.tsx
@@ -106,7 +106,11 @@ export const AppLink: FC<AppLinkProps> = ({ app, workspace, agent }) => {
 
 					event.preventDefault();
 
-					if (app.external) {
+					// HTTP links should never need the session token, since Cookies
+					// handle sharing it when you access the Coder Dashboard. We should
+					// never be forwarding the bare session token to other domains!
+					const isHttp = app.url?.startsWith("http");
+					if (app.external && !isHttp) {
 						// This is a magic undocumented string that is replaced
 						// with a brand-new session token from the backend.
 						// This only exists for external URLs, and should only
